CVE-2021-33913

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2021-33913
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-33913.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-33913
Related
Published
2022-01-19T18:15:07Z
Modified
2024-12-05T15:28:35.712689Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

libspf2 before 1.2.11 has a heap-based buffer overflow that might allow remote attackers to execute arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with a crafted SPF DNS record, because of SPFrecordexpanddata in spfexpand.c. The amount of overflowed data depends on the relationship between the length of an entire domain name and the length of its leftmost label. The vulnerable code may be part of the supply chain of a site's e-mail infrastructure (e.g., with additional configuration, Exim can use libspf2; the Postfix web site links to unofficial patches for use of libspf2 with Postfix; older versions of spfquery relied on libspf2) but most often is not.

References

Affected packages

Alpine:v3.14 / libspf2

Package

Name
libspf2
Purl
pkg:apk/alpine/libspf2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.11-r0

Affected versions

1.*

1.2.9-r0
1.2.9-r1
1.2.9-r2
1.2.9-r3
1.2.9-r4
1.2.9-r5
1.2.9-r6
1.2.9-r7
1.2.9-r8
1.2.10-r0
1.2.10-r1
1.2.10-r2
1.2.10-r3
1.2.10-r4
1.2.10-r5

Alpine:v3.15 / libspf2

Package

Name
libspf2
Purl
pkg:apk/alpine/libspf2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.11-r0

Affected versions

1.*

1.2.9-r0
1.2.9-r1
1.2.9-r2
1.2.9-r3
1.2.9-r4
1.2.9-r5
1.2.9-r6
1.2.9-r7
1.2.9-r8
1.2.10-r0
1.2.10-r1
1.2.10-r2
1.2.10-r3
1.2.10-r4
1.2.10-r5
1.2.10-r6

Alpine:v3.16 / libspf2

Package

Name
libspf2
Purl
pkg:apk/alpine/libspf2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.11-r0

Affected versions

1.*

1.2.9-r0
1.2.9-r1
1.2.9-r2
1.2.9-r3
1.2.9-r4
1.2.9-r5
1.2.9-r6
1.2.9-r7
1.2.9-r8
1.2.10-r0
1.2.10-r1
1.2.10-r2
1.2.10-r3
1.2.10-r4
1.2.10-r5
1.2.10-r6
1.2.10-r7

Alpine:v3.17 / libspf2

Package

Name
libspf2
Purl
pkg:apk/alpine/libspf2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.11-r0

Affected versions

1.*

1.2.9-r0
1.2.9-r1
1.2.9-r2
1.2.9-r3
1.2.9-r4
1.2.9-r5
1.2.9-r6
1.2.9-r7
1.2.9-r8
1.2.10-r0
1.2.10-r1
1.2.10-r2
1.2.10-r3
1.2.10-r4
1.2.10-r5
1.2.10-r6
1.2.10-r7

Alpine:v3.18 / libspf2

Package

Name
libspf2
Purl
pkg:apk/alpine/libspf2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.11-r0

Affected versions

1.*

1.2.9-r0
1.2.9-r1
1.2.9-r2
1.2.9-r3
1.2.9-r4
1.2.9-r5
1.2.9-r6
1.2.9-r7
1.2.9-r8
1.2.10-r0
1.2.10-r1
1.2.10-r2
1.2.10-r3
1.2.10-r4
1.2.10-r5
1.2.10-r6
1.2.10-r7

Alpine:v3.19 / libspf2

Package

Name
libspf2
Purl
pkg:apk/alpine/libspf2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.11-r0

Affected versions

1.*

1.2.9-r0
1.2.9-r1
1.2.9-r2
1.2.9-r3
1.2.9-r4
1.2.9-r5
1.2.9-r6
1.2.9-r7
1.2.9-r8
1.2.10-r0
1.2.10-r1
1.2.10-r2
1.2.10-r3
1.2.10-r4
1.2.10-r5
1.2.10-r6
1.2.10-r7

Alpine:v3.20 / libspf2

Package

Name
libspf2
Purl
pkg:apk/alpine/libspf2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.11-r0

Affected versions

1.*

1.2.9-r0
1.2.9-r1
1.2.9-r2
1.2.9-r3
1.2.9-r4
1.2.9-r5
1.2.9-r6
1.2.9-r7
1.2.9-r8
1.2.10-r0
1.2.10-r1
1.2.10-r2
1.2.10-r3
1.2.10-r4
1.2.10-r5
1.2.10-r6
1.2.10-r7

Alpine:v3.21 / libspf2

Package

Name
libspf2
Purl
pkg:apk/alpine/libspf2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.11-r0

Affected versions

1.*

1.2.9-r0
1.2.9-r1
1.2.9-r2
1.2.9-r3
1.2.9-r4
1.2.9-r5
1.2.9-r6
1.2.9-r7
1.2.9-r8
1.2.10-r0
1.2.10-r1
1.2.10-r2
1.2.10-r3
1.2.10-r4
1.2.10-r5
1.2.10-r6
1.2.10-r7

Debian:11 / libspf2

Package

Name
libspf2
Purl
pkg:deb/debian/libspf2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.10-7.1~deb11u1

Affected versions

1.*

1.2.10-7
1.2.10-7.1~deb10u1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / libspf2

Package

Name
libspf2
Purl
pkg:deb/debian/libspf2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.10-7.1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / libspf2

Package

Name
libspf2
Purl
pkg:deb/debian/libspf2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.10-7.1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}